Add polkit rule to authorize zincati to perform upgrades

Change is brought forward from: https://github.com/coreos/zincati/pull/59 Signed-off-by: Robert Fairley <rfairley@redhat.com>
2019-07-04 16:00:32 +00:00 · 2019-07-04 16:00:32 +00:00 · 176cce2e58
parent bbee803c11
commit 176cce2e58
2 changed files with 37 additions and 1 deletions
--- a/0001-dist-add-polkit-rule-for-rpm-ostree-59.patch
+++ b/0001-dist-add-polkit-rule-for-rpm-ostree-59.patch
@ -0,0 +1,26 @@
+From 6b98e164cd233fb1a68d49d2b6b9f9bf2c2dcb8a Mon Sep 17 00:00:00 2001
+From: Robert Fairley <rfairley@redhat.com>
+Date: Thu, 4 Jul 2019 09:21:18 -0400
+Subject: [PATCH] dist: add polkit rule for rpm-ostree
+
+Add a polkit rule to allow the `zincati` user to make `deploy` and
+`finalize-deployment` calls to the D-Bus API exposed by rpm-ostree.
+---
+ dist/polkit-1/rules.d/zincati.rules | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+ create mode 100644 dist/polkit-1/rules.d/zincati.rules
+
+diff --git a/dist/polkit-1/rules.d/zincati.rules b/dist/polkit-1/rules.d/zincati.rules
+new file mode 100644
+index 0000000..2171bde
+--- /dev/null
+++ b/dist/polkit-1/rules.d/zincati.rules
+@@ -0,0 +1,8 @@
+// Allow Zincati to deploy, and finalize a staged deployment through rpm-ostree.
+polkit.addRule(function(action, subject) {
+    if ((action.id == "org.projectatomic.rpmostree1.deploy" ||
+         action.id == "org.projectatomic.rpmostree1.finalize-deployment") &&
+        subject.user == "zincati") {
+        return polkit.Result.YES;
+    }
+})
--- a/rust-zincati.spec
+++ b/rust-zincati.spec
@ -6,7 +6,7 @@

 Name:           rust-%{crate}
 Version:        0.0.2
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Update agent for Fedora CoreOS

 # Upstream license specification: Apache-2.0
@ -15,12 +15,16 @@ URL:            https://crates.io/crates/zincati
 Source:         %{crates_source}
 # Initial patched metadata
 Patch0:         zincati-fix-metadata.diff
+# Add polkit rule to authorize zincati to perform upgrades https://github.com/coreos/zincati/pull/59
+Patch0001:      0001-dist-add-polkit-rule-for-rpm-ostree-59.patch

 ExclusiveArch:  %{rust_arches}

 BuildRequires:  rust-packaging
 BuildRequires:  systemd-rpm-macros

+Requires:       %{_datadir}/polkit-1/rules.d
+
 %global _description %{expand:
 Update agent for Fedora CoreOS.}

@ -47,6 +51,7 @@ Summary:        %{summary}
 %{_unitdir}/zincati.service
 %{_sysusersdir}/50-zincati.conf
 %{_tmpfilesdir}/zincati.conf
+%{_datadir}/polkit-1/rules.d/zincati.rules

 %pre         -n %{crate}
 %sysusers_create_package %{crate} 50-zincati.conf
@ -84,6 +89,8 @@ install -Dpm0644 -t %{buildroot}%{_sysusersdir} \
  dist/sysusers.d/*.conf
 install -Dpm0644 -t %{buildroot}%{_tmpfilesdir} \
  dist/tmpfiles.d/*.conf
+install -Dpm0644 -t %{buildroot}%{_datadir}/polkit-1/rules.d \
+  dist/polkit-1/rules.d/*.rules

 %if %{with check}
 %check
@ -91,6 +98,9 @@ install -Dpm0644 -t %{buildroot}%{_tmpfilesdir} \
 %endif

 %changelog
+* Thu Jul 04 2019 Robert Fairley <rfairley@redhat.com> - 0.0.2-6
+- Add polkit rule to authorize zincati to perform upgrades https://github.com/coreos/zincati/pull/59
+
 * Tue Jul 02 2019 Robert Fairley <rfairley@redhat.com> - 0.0.2-5
 - Add missing owned directories, tidy owned files list